### [CVE-2024-39909](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-39909)
![](https://img.shields.io/static/v1?label=Product&message=kubeclarity&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%202.23.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-89%3A%20Improper%20Neutralization%20of%20Special%20Elements%20used%20in%20an%20SQL%20Command%20('SQL%20Injection')&color=brighgreen)

### Description

KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. A time/boolean SQL Injection is present in the following resource `/api/applicationResources` via the following parameter `packageID`. As it can be seen in backend/pkg/database/id_view.go, while building the SQL Query the `fmt.Sprintf` function is used to build the query string without the input having first been subjected to any validation. This vulnerability is fixed in 2.23.1.

### POC

#### Reference
- https://github.com/openclarity/kubeclarity/security/advisories/GHSA-5248-h45p-9pgw

#### Github
No PoCs found on GitHub currently.